From 40e68ff7e963c7fcc9562ab6e5c82a7b7eaacbec Mon Sep 17 00:00:00 2001 From: Sjoerd Schipper Date: Fri, 13 Dec 2024 17:12:55 +0100 Subject: [PATCH] 1.6.0-beta.2 openforms setup configuration beta testing --- charts/openforms/Chart.yaml | 4 +- charts/openforms/templates/_helpers.tpl | 31 ++++++ .../templates/configuration-secrets.yaml | 14 +++ charts/openforms/templates/deployment.yaml | 2 + charts/openforms/templates/job-config.yaml | 97 +++++++++++++++++ charts/openforms/templates/secret.yaml | 3 - charts/openforms/values.yaml | 103 ++++++++++++------ 7 files changed, 218 insertions(+), 36 deletions(-) create mode 100644 charts/openforms/templates/configuration-secrets.yaml create mode 100644 charts/openforms/templates/job-config.yaml diff --git a/charts/openforms/Chart.yaml b/charts/openforms/Chart.yaml index c7747fa..8c12ae9 100644 --- a/charts/openforms/Chart.yaml +++ b/charts/openforms/Chart.yaml @@ -3,8 +3,8 @@ name: openforms description: Snel en eenvoudig slimme formulieren bouwen en publiceren type: application -version: 1.6.0-beta.1 -appVersion: setup-configuration +version: 1.6.0-beta.2 +appVersion: latest icon: https://open-forms.readthedocs.io/en/stable/_static/logo.svg dependencies: diff --git a/charts/openforms/templates/_helpers.tpl b/charts/openforms/templates/_helpers.tpl index 50fccd9..0f4a1ea 100644 --- a/charts/openforms/templates/_helpers.tpl +++ b/charts/openforms/templates/_helpers.tpl 
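Review bot: `appVersion: latest` in Chart.yaml makes the chart's default image tag mutable, because job-config.yaml in this patch renders the image as `{{ .Values.image.tag | default .Chart.AppVersion }}`. A release that sets no `image.tag` can pull a different image on every reschedule, and the new configuration Job would run that unpinned image with the application secrets in its environment. I would keep `appVersion` on a released Open Forms version or a digest, e.g. `appVersion: "<released-version>"` (placeholder), and let beta testers override `image.tag` in their own values.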
@@ -191,6 +191,37 @@ Flower selector labels app.kubernetes.io/name: {{ include "openforms.flowerFullname" . }} {{- end }} +{{/* +Create a name for Config cronjob +We truncate at 56 chars in order to provide space for the "-config" suffix +*/}} +{{- define "openforms.configName" -}} +{{ include "openforms.name" . | trunc 56 | trimSuffix "-" }}-config +{{- end }} + +{{/* +Create a default fully qualified name for config. +We truncate at 56 chars in order to provide space for the "-config" suffix +*/}} +{{- define "openforms.configFullname" -}} +{{ include "openforms.fullname" . | trunc 56 | trimSuffix "-" }}-config +{{- end }} + +{{/* +config labels +*/}} +{{- define "openforms.configLabels" -}} +{{ include "openforms.commonLabels" . }} +{{ include "openforms.configSelectorLabels" . }} +{{- end }} + +{{/* +config selector labels +*/}} +{{- define "openforms.configSelectorLabels" -}} +app.kubernetes.io/name: {{ include "openforms.configName" . }} +{{- end }} + {{/* Ingress annotations */}} diff --git a/charts/openforms/templates/configuration-secrets.yaml b/charts/openforms/templates/configuration-secrets.yaml new file mode 100644 index 0000000..d69db6d --- /dev/null +++ b/charts/openforms/templates/configuration-secrets.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.global.configuration.enabled .Values.configuration.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "openforms.fullname" . }}-config-secrets + labels: + {{- include "openforms.labels" . | nindent 4 }} +stringData: + {{- if .Values.global.configuration.secrets }} + {{- include "openforms.tplvalues.render" ( dict "value" .Values.global.configuration.secrets "context" $ ) | nindent 4 }} + {{ else }} + {{- include "openforms.tplvalues.render" ( dict "value" .Values.configuration.secrets "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/openforms/templates/deployment.yaml b/charts/openforms/templates/deployment.yaml index 83a6c19..47b2aaf 100644 
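Review bot: The comment on `openforms.configName` says "Config cronjob", but the only consumer in this patch is the `batch/v1` Job in job-config.yaml; I would change it to `Create a name for the configuration Job`. That Job is named with `openforms.configName` rather than `openforms.configFullname`, which this hunk defines but nothing in the patch uses. If `openforms.name` (defined outside the hunk) is not release-qualified, two releases in one namespace would render the same Job name; `name: {{ include "openforms.configFullname" . }}` in job-config.yaml would avoid that.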
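Review bot: The tokens for this Secret can only be supplied inline through `configuration.secrets` or `global.configuration.secrets`, so they end up in values files and in Helm's stored release data. The main secret can be resolved through `.Values.existingSecret` (see deployment.yaml), but there is no equivalent here for pointing at a Secret managed outside the chart. I would add such an option (for example `configuration.existingSecret`, a name I am proposing, not one the chart has) and skip rendering this template when it is set. A non-empty `global.configuration.secrets` also replaces the chart-level map entirely instead of merging with it, which deserves a comment next to the value.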
--- a/charts/openforms/templates/deployment.yaml
+++ b/charts/openforms/templates/deployment.yaml
@@ -42,6 +42,8 @@ spec:
 envFrom:
 - secretRef:
 name: {{ .Values.existingSecret | default (include "openforms.fullname" .) }}
+ - secretRef:
+ name: {{ include "openforms.fullname" . }}-config-secrets
 - configMapRef:
 name: {{ include "openforms.fullname" . }}
 env:
diff --git a/charts/openforms/templates/job-config.yaml b/charts/openforms/templates/job-config.yaml
new file mode 100644
index 0000000..3bff072
--- /dev/null
+++ b/charts/openforms/templates/job-config.yaml
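Review bot: The added `secretRef` to `{{ include "openforms.fullname" . }}-config-secrets` is unconditional, while configuration-secrets.yaml renders that Secret only when both `global.configuration.enabled` and `configuration.enabled` are true, and values.yaml defaults both to false. With default values the pod references a Secret that does not exist, and a missing non-optional `envFrom` Secret keeps the container from starting. Wrap the two added lines in the same guard, `{{- if and .Values.global.configuration.enabled .Values.configuration.enabled }}`, or add `optional: true` under the `secretRef`. It is also worth checking whether this container needs the setup tokens in its environment at all, since the patch only shows them being consumed by `envsubst` in the Job. The enclosing container spec starts and ends outside the hunk.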
@@ -0,0 +1,97 @@
+{{ if and .Values.global.configuration.enabled .Values.configuration.enabled .Values.configuration.job.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "openforms.configName" . }}
+ labels:
+ {{- include "openforms.configLabels" . | nindent 4 }}
+spec:
+ backoffLimit: {{ .Values.configuration.job.backoffLimit }}
+ ttlSecondsAfterFinished: {{ .Values.configuration.job.ttlSecondsAfterFinished }}
+ template:
+ metadata:
+ annotations:
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "openforms.configLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "openforms.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ restartPolicy: {{ .Values.configuration.job.restartPolicy }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - secretRef:
+ name: {{ .Values.existingSecret | default (include "openforms.fullname" .) }}
+ - secretRef:
+ name: {{ include "openforms.fullname" . }}-config-secrets
+ - configMapRef:
+ name: {{ include "openforms.fullname" . }}
+ env:
+ {{- if .Values.extraEnvVars }}
+ {{- include "openforms.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.configuration.job.resources | nindent 12 }}
+ command:
+ - "/bin/bash"
+ - "-c"
+ args:
+ - |
+ /usr/bin/envsubst < /app/configuration/configuration.yaml > /tmp/configuration.yaml &&
+ /app/src/manage.py setup_configuration --yaml-file /tmp/configuration.yaml
+ volumeMounts:
+ - name: media
+ mountPath: /app/private_media
+ subPath: {{ .Values.persistence.privateMediaMountSubpath | default "openforms/private_media" }}
+ - name: media
+ mountPath: /app/media
+ subPath: {{ .Values.persistence.mediaMountSubpath | default "openforms/media" }}
+ - name: configuration
+ mountPath: /app/configuration/
+ readOnly: true
+ {{- if .Values.extraVolumeMounts }}
+ {{- include "openforms.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 16 }}
+ {{- end }}
+ volumes:
+ - name: media
+ persistentVolumeClaim:
+ {{- if .Values.persistence.enabled }}
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "openforms.fullname" . }}{{- end }}
+ {{- else }}
+ emptyDir: { }
+ {{- end }}
+ - name: configuration
+ configMap:
+ name: {{ include "openforms.fullname" . }}-configuration
+ defaultMode: 0755
+ {{- if .Values.extraVolumes }}
+ {{- include "openforms.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openforms/templates/secret.yaml b/charts/openforms/templates/secret.yaml
index 57a40c2..c097dd4 100644
--- a/charts/openforms/templates/secret.yaml
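Review bot: The `envsubst` call in `args` is given no variable list, so it replaces every `$NAME`/`${NAME}` reference in configuration.yaml from the whole environment, including the main application secret loaded by the first `secretRef`, and it substitutes an empty string for any name that is not set. A mistyped placeholder therefore configures a service with an empty token instead of failing the Job. I would pass envsubst an explicit SHELL-FORMAT argument listing only the keys of the config secret, and check the rendered file for empty credentials before calling `setup_configuration`. Separately, the pod `labels:` block renders `.Values.podAnnotations`, which looks like a copy of the annotations block above it; annotation values are often not valid label values. `defaultMode: 0755` on the configuration ConfigMap could be `0444`, since the file is only read.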
+++ b/charts/openforms/templates/secret.yaml
@@ -19,7 +19,4 @@ stringData:
 {{- if .Values.settings.email.password }}
 EMAIL_HOST_PASSWORD: {{ .Values.settings.email.password | toString | quote }}
 {{- end }}
- {{ range .Values.extraSecrets }}
- {{ .name }}: {{ .value | toString | quote }}
- {{ end }}
 {{- end }}
diff --git a/charts/openforms/values.yaml b/charts/openforms/values.yaml
index e2cab91..30aa754 100644
--- a/charts/openforms/values.yaml
+++ b/charts/openforms/values.yaml
@@ -1,65 +1,106 @@ global: configuration: - enable: true - + enabled: false + secrets: {} settings: # -- Global databasehost, overrides setting.database.host databaseHost: "" -# extraSecrets Array with extra secrets -# e.g: -# extraSecrets: - # - name: objecttypen-test-token - # value: Token 171be5abaf41e7856b423ad513df1ef8f867ff48 - # - name: objecten-test-token - # value: Token 7657474c3d75f56ae0abd0d1bf7994b09964dca9 - # - name: documenten-test-secret - # value: doc-supersecret - # - name: catalogi-test-secret - # value: cat-supersecret - -extraSecrets: [] - configuration: - enable: false - # data: {} + enabled: false + initContainer: + # -- Run the setup configuration command in a init container + enabled: false + job: + # -- Run the setup configuration command as a job + enabled: true + backoffLimit: 6 + # -- 0 Will clean the job after it is finished + ttlSecondsAfterFinished: 0 + restartPolicy: OnFailure + # Note, this field is immutable + resources: {} + # limits: + # cpu: 200m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 128Mi + secrets: {} + # objecttypen_test_token: Token 171be5abaf41e7856b423ad513df1ef8f867ff48 + # objecten_test_token: Token 171be5abaf41e7856b423ad513df1ef8f867ff48 + # documenten_test_secret: documenten_supersecret + # catalogi_test_secret: catalogi_supersecret + # data: "" # e.g. 
# data: |- + # oidc_db_config_enable: False + # oidc_db_config_admin_auth: + # items: + # - identifier: admin-oidc + # enabled: True + # oidc_rp_client_id: testid + # oidc_rp_client_secret: 7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I + # oidc_rp_scopes_list: + # - openid + # - email + # - profile + # oidc_rp_sign_algo: RS256 + # endpoint_config: + # oidc_op_discovery_endpoint: http://keycloak.example.com:/realms/test/ + # username_claim: + # - sub + # groups_claim: + # - roles + # claim_mapping: + # first_name: + # - given_name + # sync_groups: true + # sync_groups_glob_pattern: "*" + # default_groups: + # - Functioneel beheer + # make_users_staff: true + # superuser_group_names: + # - superuser + # oidc_use_nonce: true + # oidc_nonce_size: 32 + # oidc_state_size: 32 + # userinfo_claims_source: id_token # zgw_consumers_config_enable: True # zgw_consumers: # services: # - identifier: objecttypen-test # label: Objecttypen API test - # api_root: http://objecttypes-web:8000/api/v2/ + # api_root: http://objecttypes.example.com/api/v2/ # api_type: orc # auth_type: api_key # header_key: Authorization - # header_value: '${objecttypen-test-token}' + # header_value: '${objecttypen_test_token}' # - identifier: objecten-test # label: Objecten API test - # api_root: http://objects-web:8000/api/v2/ + # api_root: http://objects.example.com/api/v2/ # api_type: orc # auth_type: api_key # header_key: Authorization - # header_value: '${objecten-test-token}' + # header_value: '${objecten_test_token}' # - identifier: documenten-test # label: Documenten API test - # api_root: http://openzaak-web.local:8000/documenten/api/v1/ + # api_root: http://openzaak-web.example.com/documenten/api/v1/ # api_type: drc # auth_type: zgw # client_id: test_client_id - # secret: '${documenten-test-secret}' + # secret: '${documenten_test_secret}' # - identifier: catalogi-test # label: Catalogi API test - # api_root: http://openzaak-web.local:8000/catalogi/api/v1/ + # api_root: 
http://openzaak-web.example.com/catalogi/api/v1/ # api_type: ztc # auth_type: zgw # client_id: test_client_id - # secret: '${catalogi-test-secret}' + # secret: '${catalogi_test_secret}' # objects_api_config_enable: True # objects_api: @@ -68,19 +109,19 @@ configuration: # identifier: config-1 # objects_service_identifier: objecten-test # objecttypes_service_identifier: objecttypen-test - # drc_service_identifier: documenten-test + # documenten_service_identifier: documenten-test # catalogi_service_identifier: catalogi-test # catalogue_domain: TEST # catalogue_rsin: "000000000" # organisatie_rsin: "000000000" - # iot_submission_report: PDF Informatieobjecttype - # iot_submission_csv: CSV Informatieobjecttype - # iot_attachment: Attachment Informatieobjecttype + # document_type_submission_report: PDF Informatieobjecttype + # document_type_submission_csv: CSV Informatieobjecttype + # document_type_attachment: Attachment Informatieobjecttype # - name: Config 2 # identifier: config-2 # objects_service_identifier: objecten-test # objecttypes_service_identifier: objecttypen-test - # drc_service_identifier: documenten-test + # documenten_service_identifier: documenten-test # catalogi_service_identifier: catalogi-test # catalogue_domain: OTHER # catalogue_rsin: "000000000"
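Review bot: The commented `data` example in the first values.yaml hunk puts `oidc_rp_client_secret: 7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I` inline, and job-config.yaml mounts the configuration file from the `-configuration` ConfigMap (presumably rendered from `configuration.data` by a template outside this patch), so anyone following the example stores the OIDC client secret in a ConfigMap rather than in the Secret. The zgw_consumers entries in the same example already use the placeholder pattern, so I would write `oidc_rp_client_secret: '${oidc_client_secret}'` and add a matching commented key under `secrets`. The example values under `secrets`, such as `Token 171be5abaf41e7856b423ad513df1ef8f867ff48`, would read better as obvious placeholders like `Token <objecttypen-api-token>`, so nobody mistakes them for working defaults. `configuration.initContainer.enabled` is introduced here but no template in this patch reads it; a comment saying it is not wired up yet would prevent surprises.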